Yes, it is possible. It's just a little more involved than some other linux-based distros like smoothwall.
Generally, you define a network service which consists of the tcp/udp ports you want to allow or forward. Then, set up a DNAT/SNAT rule which is really the "port forwarding." You can do things like change port 1078 incoming to go to a ip on your lan on port 2876 for example. Then, you go to packet filter and allow the traffic through.
This is a dumbed down example. If you let us know exactly what you're trying to do, we might be able to help you better.
Port forwarding for hosting services is done like this:
1. Define the internal host as a network with a 32 bit netmask in the definitions screen.
2. If applicable, alias the appropriate public IP to the internet interface.
3. If necessary, define the service port(s) in definitions. A lot are already set up by default.
4. Set up DNAT pointing as follows:
Match source no match. Match destination public IP you wish to listen on. Service set to the service you wish to listen for as defined earlier in definitions. Change source: no change. Change destination: set to the internal ip previously defined. Change service: no change.
That will do the port forwarding. The last step is to go to the packet filter and set:
From: Any (If you want it to be "publicly" available). Service: Previously defined service. To: Internal IP of the machine hosting the service. Action: Allow.
I was going through this post and using it to setup my own port forwarding, and am curious if there is a way to use a service group for the service as opposed to using individual services. Seems logical to me, works in the packet filtering. Just curious if I am missing something. Maybe there is an issue there of not being able to redirect ports or something. Anyway, just curious.
Interesting, you're right. Not sure why service groups can't be used rather than just normal service definitions. I'm guessing it was just a design decision made by the ASL creators. -joe
I haven't found a way to port map a service group.
Based on what I know about the underlying mechanism, I can only guess that it is slightly more complicated to get the NAT scripts working for groups than it is for the packet filter.
Actually, there is a bit of news on this. We ran into the inability to use service groups on a DNAT and discussed this with Astaro. The feedback we got was that this problem was being looked at and worked on. No one can say for sure, but I think this might appear in a future up2date or possible the next version. The reason why this feature is needed is because some programs use multiple ports. As it stands now, you've got to create a separate DNAT rule for each instance, which is a royal pain in the butt.
